The Application Security Challenge

If you are a security and risk professional working with software developers and quality assurance teams, you know the familiar sight on Gantt and Pareto charts: a single red item among all the green ones, which tends to go unresolved until the last stages of a product release. That item is security testing.

Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of cybersecurity. According to “The State of Risk-Based Security Management,” conducted by the Ponemon Institute, organizations’ IT budgets for network security are, on average, 25 percent higher than those for application security. This is despite the fact that the application layer is twice as risk-prone as the network layer.

Why You Need to Ditch the Bandages

Every software application, Web or mobile, has a bug waiting to be discovered. While applications are growing at a rapid pace across organizations, the task of securing them usually falls on a severely understaffed IT team. And because security is treated purely as a technical discipline, its measurement — particularly its effects on business outcomes and overall risk posture — is often informal at best. A Gartner analysis titled “Risk and Security Management in Midsize Organizations” found that a majority of organizations do not have a formal mechanism to assess organization-wide risk. This could mean that unacceptable threats routinely go unaddressed, leaving organizations noncompliant with external regulations and ultimately vulnerable to attacks.

What happens when there is little understanding of where the work involved in securing applications begins and ends?

  • The “Band-Aid®” Approach: Activities for assessing, prioritizing and remediating application vulnerabilities are ad hoc, fragmented and carried out at low levels in the IT security organization.
  • The “Ostrich With Its Head in the Sand” Approach: IT and business management typically have no visibility into the overall state of application security.
  • The “It’ll All Work Out Somehow” Approach: Quality assurance and software development groups lack the knowledge and incentives to address critical vulnerabilities early in application development life cycles, where it is most cost-effective.

Reactively securing applications is no longer enough to deal with the ever-growing number of applications and vulnerabilities.

Risk-Based Application Security Management

Managing security is really all about managing risk. You can make application security a strategically managed discipline by following a five-step process:

1. Create an Inventory of Application Assets and Assess Impact

According to a SANS Institute study, more than one-fourth of respondents didn’t know how many applications their organization used or managed. In order for any application security initiative to be effective, it is imperative to begin by understanding which application assets need to be protected. Start by building and understanding the inventory of applications deployed in your organization and ranking these assets by relative business impact.

2. Test the Applications for Vulnerabilities

Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. But determining beforehand which assets need to be scanned saves you a headache later.

There are various scanning technologies and techniques that can each assess different classes of vulnerabilities, but none covers all security risks. For instance, dynamic analysis technology provides automated vulnerability discovery but does not show why the vulnerability exists or specifically where it lives in the code — which static analysis tools can. Manual penetration testers bring the human judgment needed to find vulnerabilities that require business logic skills for discovery. All three work better together than when implemented piecemeal. Thus, look to adopt multiple tools and techniques to help you manage, discover and remedy insecure applications within your enterprise.

3. Determine the Risks and Prioritize the Vulnerabilities

Once you assess the business criticality of applications and the vulnerabilities within them, you are primed to analyze the risk profile of your portfolio. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and observe whether they are effectively mitigating risk over time.

4. Remediate the Risks

The risk-rating approach to remediation allows security managers to deploy the right resources to protect the crown jewels first. While fixing code is the most common and effective way to remediate vulnerabilities, technologies like Web application firewalls, virtual patching and runtime application self-protection (RASP) are good short-term alternatives.

In essence, remediation is not just about fixing individual defects. Security managers should look for opportunities to improve underlying processes.

5. Measure Progress and Demonstrate Compliance

According to the “2015 State of Application Security: Closing the Gap” study by the SANS Institute, 47 percent of respondents (representing the majority) felt that the effectiveness of their application security programs needed improvement, whether evaluated internally (47 percent) or in comparison to other organizations (36 percent).

The five-step approach explained here unlocks a gold mine of trend data that shows progress — or a lack of it — for teams and business units in terms of high-priority vulnerabilities, total vulnerabilities and vulnerabilities of specific types. With the right application security data, security managers can answer questions such as: Is the overall risk posture of the organization improving? Are we allocating resources where they will have the greatest impact in reducing business risk?
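The following is an added worked example, not code from the original post or from any tool it mentions: it strings the five steps together on a constructed portfolio, scoring each inventoried application by business impact and the severity of its findings, ranking the portfolio, refusing to score findings for assets missing from the inventory, and reporting the per-application change in risk between two assessment cycles. The inventory, the findings, the weight tables and the multiplicative scoring scheme are all assumptions made for illustration, not a method the article prescribes.

```python
# Added example (not from the original post): a minimal risk-based ranking of an
# application portfolio. The inventory, findings and all weights below are
# constructed for illustration; the scoring scheme is an assumption of this
# example, not a method prescribed by the article.
from collections import defaultdict
from dataclasses import dataclass


# Step 1: business impact tier of each inventoried asset (assumed weights).
IMPACT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Step 2: severity of an individual finding (assumed weights).
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scanner or a manual tester."""
    app: str
    vuln_type: str
    severity: str
    source: str  # "dast", "sast" or "pentest": which technique found it


def unknown_assets(inventory, findings):
    """Findings against apps missing from the inventory: a gap in step 1."""
    return {f.app for f in findings if f.app not in inventory}


def risk_score(impact, findings):
    """Step 3: risk = business-impact weight x sum of finding severities."""
    return IMPACT_WEIGHT[impact] * sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def rank_portfolio(inventory, findings):
    """Return (app, score, finding_count) rows, highest risk first.

    Refuses to score findings for assets the inventory does not know about,
    because a ranking built on an incomplete inventory is misleading.
    """
    missing = unknown_assets(inventory, findings)
    if missing:
        raise ValueError(f"findings for un-inventoried assets: {sorted(missing)}")
    by_app = defaultdict(list)
    for f in findings:
        by_app[f.app].append(f)
    rows = [(app, risk_score(impact, by_app[app]), len(by_app[app]))
            for app, impact in inventory.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def progress(previous, current):
    """Step 5: change in risk score per app between two assessment cycles.

    Negative values mean risk went down; positive values flag regressions.
    """
    before = {app: score for app, score, _ in previous}
    return {app: score - before.get(app, 0) for app, score, _ in current}


def findings_by_type(findings):
    """Step 5: trend data by vulnerability class (e.g. how much XSS is left)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.vuln_type] += 1
    return dict(counts)


# Constructed sample data: three inventoried apps and two assessment cycles.
INVENTORY = {"payments-api": "critical", "hr-portal": "high", "marketing-site": "low"}

FINDINGS_Q1 = [
    Finding("payments-api", "sqli", "high", "dast"),
    Finding("payments-api", "auth-bypass", "critical", "pentest"),
    Finding("payments-api", "xss", "medium", "sast"),
    Finding("marketing-site", "xss", "medium", "dast"),
    Finding("marketing-site", "xss", "low", "dast"),
    Finding("hr-portal", "idor", "high", "pentest"),
]

# After remediation of the payments API; one new medium finding on the HR portal.
FINDINGS_Q2 = [
    Finding("payments-api", "xss", "medium", "sast"),
    Finding("hr-portal", "idor", "high", "pentest"),
    Finding("hr-portal", "sqli", "medium", "dast"),
]


if __name__ == "__main__":
    q1 = rank_portfolio(INVENTORY, FINDINGS_Q1)
    q2 = rank_portfolio(INVENTORY, FINDINGS_Q2)
    for app, score, count in q1:
        print(f"Q1     {app:15} risk={score:3} findings={count}")
    for app, delta in progress(q1, q2).items():
        print(f"Q1->Q2 {app:15} change={delta:+}")
    print("Q2 findings by type:", findings_by_type(FINDINGS_Q2))
```

Run stand-alone, the script ranks the payments API first in the first cycle (a critical-impact asset carrying a critical finding), then shows the HR portal overtaking it in the second cycle because a new finding appeared there while the payments API was remediated. Weighting severity by business impact is what turns a flat list of scanner output into the portfolio view steps 3 and 5 call for; the inventory check is there because a finding against an application nobody has recorded is a step 1 failure that a ranking should surface rather than silently absorb.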

The Bottom Line

Putting bandages on your application layer vulnerabilities will only delay the inevitable. In order to truly mitigate risk, your organization needs a risk-based, strategic and preventive approach to application security.

You should know how many applications your firm has, develop an effective application security process that keeps your resources accountable through discovery and remediation in the SDLC, and constantly measure and reassess the needs of your business.

Download a complimentary copy of our Ponemon Institute study to learn more about application security risk management challenges faced by organizations like yours.
